Description
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.
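As an added illustration (not code from the Devs Accounting plugin), the WordPress REST registration pattern the description refers to, shown with the missing permission_callback supplied. The namespace, route and wp_dac_accounts table come from the advisory; the handler name dac_delete_single_account(), the 'manage_options' capability and the soft-delete column are assumptions.

```php
<?php
// Added example, not from the Devs Accounting plugin. dac_delete_single_account()
// stands in for the plugin's delete_single_account(); capability and column are assumed.
add_action( 'rest_api_init', function () {
    // Vulnerable pattern from the advisory: no 'permission_callback', so WordPress
    // serves the route to anonymous visitors (5.5+ also emits a _doing_it_wrong notice):
    //   register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', array(
    //       'methods' => 'GET', 'callback' => 'dac_delete_single_account' ) );

    // Hardened registration: authenticated user with a capability, DELETE verb, validated id.
    register_rest_route( 'devs-accounting/v1', '/delete-account/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'dac_delete_single_account',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // 'manage_options' is an assumed capability; the plugin may define its own.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Soft-delete handler (placeholder). Table is wp_dac_accounts per the advisory;
// the 'is_deleted' flag column is an assumption.
function dac_delete_single_account( WP_REST_Request $request ) {
    global $wpdb;
    $id      = (int) $request['id'];
    $updated = $wpdb->update( $wpdb->prefix . 'dac_accounts', array( 'is_deleted' => 1 ),
        array( 'id' => $id ), array( '%d' ), array( '%d' ) );
    if ( false === $updated ) {
        return new WP_Error( 'dac_db_error', 'Database update failed.', array( 'status' => 500 ) );
    }
    if ( 0 === $updated ) {
        return new WP_Error( 'dac_not_found', 'No such account.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $id ) );
}
```

With cookie authentication the caller must also send a valid X-WP-Nonce header; otherwise the REST API treats the request as anonymous, current_user_can() fails and the route answers 401 instead of deleting anything.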
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Devs Accounting plugin for WordPress is vulnerable to unauthorized deletion of accounting records because the delete_single_account() function lacks a permission callback, exposing the REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' to unauthenticated GET requests. An attacker can issue a simple HTTP request with any account ID and cause the plugin to mark the corresponding entry in the wp_dac_accounts table as deleted, an unauthorized removal of financial data that violates integrity and potentially impacts business reporting.

Affected Systems

This flaw affects installations of the Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress up to and including version 1.2.0. WordPress sites that have not upgraded beyond 1.2.0 and rely on the plugin for managing accounting entries are vulnerable. The affected code resides in class-devs-accounting-accounts.php, where the delete route is registered without permission checks.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, so uncertainty exists about current exploitation frequency. The issue is not listed in the CISA KEV catalog, but the lack of authentication for a destructive operation makes it attractive to attackers. Because the endpoint is publicly reachable, an unauthenticated adversary can trigger the deletion remotely over the network without requiring any credentials.

Generated by OpenCVE AI on June 24, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devs Accounting to a version that enforces proper permission checks on the delete-account REST endpoint.
  • If an upgrade is not possible, manually add a capability requirement to the REST route or remove the route entirely; alternatively, implement a plugin that blocks unauthenticated requests to that path.
  • Enable logging for REST API calls and review for unexpected delete-account activity; consider applying a firewall rule that requires authentication for this endpoint.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type: Description
Values Added: The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.

Type: Title
Values Added: Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:36:58.581Z

Reserved: 2026-05-21T14:37:49.953Z

Link: CVE-2026-9172

Vulnrichment

Updated: 2026-06-24T12:36:55.388Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses